diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f8f45d1c..6b06b3e6 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,76 +2,36 @@ name: CI
 
 on:
   push:
-    branches: [ master, release ]
+    branches: [master, release]
   pull_request:
-    branches: [ master ]
-  pull_request_target:
     branches: [master]
   release:
-    types: [ published ]
-
+    types: [published]
 
 jobs:
-
   test:
-    if: |
-      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') ||
-      (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]')
-    name: Run tests
-    strategy:
-      matrix:
-        python-version: ['3.8', '3.9', '3.10']
-        os: [ubuntu, macos, windows]
-      fail-fast: false
-    runs-on: ${{ matrix.os }}-latest
-    env:
-      PYTHONIOENCODING: utf-8
+    name: All checks are passed
+    uses: ./.github/workflows/test.yaml
+
+  approve:
+    name: Approve bot PR
+    runs-on: ubuntu-latest
+    if: endsWith(github.actor, '[bot]')
+    needs: test
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - name: Checkout commit
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Install python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: metadata
+        id: metadata
+        if: github.actor == 'dependabot[bot]'
+        uses: dependabot/fetch-metadata@v2
         with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Cache Python and its deps
-        uses: actions/cache@v3
-        with:
-          key: ${{ runner.os }}-python-${{ matrix.python-version }}-${{ hashFiles('requirements/*.txt') }}
-          path: ${{ env.pythonLocation }}
-
-      - name: Install GNU libraries for MacOS
-        if: matrix.os == 'macos'
-        shell: bash
-        run: |
-          HOMEBREW_NO_AUTO_UPDATE=1 brew install findutils
-          echo PATH="/usr/local/opt/findutils/libexec/gnubin:$PATH" >> $GITHUB_ENV
-
-      - name: Install python dependencies
-        run: |
-          make setup
-
-      - name: Configure environment
-        run: |
-          neuro config login-with-token ${{ secrets.CLIENT_TEST_E2E_USER_NAME }} https://dev.neu.ro/api/v1
-          neuro --color=no config show
-
-      - uses: webfactory/ssh-agent@v0.7.0
-        # Authenticates ssh on worker to pull repos under github.com/neuro-actions via ssh
-        # Y.S. key is used
-        with:
-          ssh-private-key: ${{ secrets.GH_NF_ACTIONS_SSH_PRIVATE }}
-          log-public-key: false
-
-      - name: Lint
-        run: |
-          make lint
-
-      - name: Run tests
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Enable auto-merge for bot PRs
+        run: gh pr merge --auto --squash --delete-branch "$PR_URL"
         env:
-          NEURO_USER: ${{ secrets.CLIENT_TEST_E2E_USER_NAME }}
-        run: |
-          make test
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/remove-automerge.yml b/.github/workflows/remove-automerge.yml
deleted file mode 100644
index ae8dd8e8..00000000
--- a/.github/workflows/remove-automerge.yml
+++ /dev/null
@@ -1,36 +0,0 @@
-name: Disable auto-merge
-on:
-  workflow_run:
-    workflows:
-      - CI
-    types:
-      - completed
-
-permissions:
-  pull-requests: write
-  contents: write
-
-jobs:
-  Run:
-    runs-on: ubuntu-latest
-    # pull_request or pull_request_target initiated by dependabot
-    if: ${{ startsWith(github.event.workflow_run.event, 'pull_request') &&
-            github.event.workflow.pull_requests[0].auto_merge != null &&
-            contains(github.event.pull_requests[0].labels.*.name, 'dependencies') }}
-    steps:
-    - id: generate_token
-      uses: tibdex/github-app-token@v1
-      with:
-        app_id: ${{ secrets.BOT_APP_ID }}
-        private_key: ${{ secrets.BOT_PRIVATE_KEY }}
-    - name: PR number
-      run: echo "$PR_NUMBER"
-      env:
-        PR_NUMBER: ${{ github.event.workflow.pull_requests[0].number }}
-    - name: Remove automerge
-      if: ${{ github.event.workflow.conclusion != 'success' }}
-      run: |
-        gh pr merge --disable-auto "$PR_NUMBER"
-      env:
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-        PR_NUMBER: ${{ github.event.workflow.pull_requests[0].number }}
diff --git a/.github/workflows/setup-automerge.yml b/.github/workflows/setup-automerge.yml
deleted file mode 100644
index c0c98fa6..00000000
--- a/.github/workflows/setup-automerge.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-name: Enable auto-merge
-on:
-  pull_request_target:
-    types: [opened]
-
-permissions:
-  pull-requests: write
-  contents: write
-
-jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    # either dependabot, or update-neuro-flow-actions flow
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-    - id: generate_token
-      uses: tibdex/github-app-token@v1
-      with:
-        app_id: ${{ secrets.BOT_APP_ID }}
-        private_key: ${{ secrets.BOT_PRIVATE_KEY }}
-    - name: metadata
-      id: metadata
-      uses: dependabot/fetch-metadata@v1.3.5
-      with:
-        github-token: ${{ steps.generate_token.outputs.token }}
-    - name: Enable auto-merge for bot PRs
-      run: gh pr merge --auto --squash --delete-branch "$PR_URL"
-      env:
-        PR_URL: ${{ github.event.pull_request.html_url }}
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-
-  other:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v3
-    - id: generate_token
-      uses: tibdex/github-app-token@v1
-      with:
-        app_id: ${{ secrets.BOT_APP_ID }}
-        private_key: ${{ secrets.BOT_PRIVATE_KEY }}
-    - name: Set label for pre-commit
-      if: ${{ github.actor == 'pre-commit-ci[bot]' || github.actor == 'neu-ro-github-bot[bot]'}}
-      run: |
-        gh pr edit --add-label 'dependencies' "$PR_URL"
-      env:
-        PR_URL: ${{github.event.pull_request.html_url}}
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-    - name: Set label for all-repos
-      if: ${{ contains(github.event.pull_request.body,
-              'Committed via https://github.com/asottile/all-repos') }}
-      run: |
-        URL="/repos/${GITHUB_REPOSITORY}/collaborators/${GITHUB_ACTOR}/permission"
-        echo "Test user permissions: $URL"
-        PERM=$(gh api "$URL" --jq ".permission") || RET=$?
-        echo "$RET: $PERM"
-        if [[ -z "$RET" && ("$PERM" = 'write' || "$PERM" = 'admin') ]]; then
-          echo "Add label 'dependencies'"
-          gh pr edit --add-label 'dependencies' "$PR_URL"
-          echo "AUTOMERGE=1" >> $GITHUB_ENV
-        fi
-      env:
-        PR_URL: ${{github.event.pull_request.html_url}}
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-    - name: Enable auto-merge if labeled
-      if: ${{ env.AUTOMERGE || (
-                  github.actor != 'dependabot[bot]' &&
-                  contains(github.event.pull_request.labels.*.name, 'dependencies')
-              ) }}
-      run: gh pr merge --auto --squash --delete-branch "$PR_URL"
-      env:
-        PR_URL: ${{github.event.pull_request.html_url}}
-        GH_TOKEN: ${{ steps.generate_token.outputs.token }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 00000000..bd82ac00
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,63 @@
+on:
+  workflow_call: {}
+
+jobs:
+  test:
+    name: Run tests
+    strategy:
+      matrix:
+        python-version: ["3.8", "3.9", "3.10"]
+        os: [ubuntu, macos, windows]
+      fail-fast: false
+    runs-on: ${{ matrix.os }}-latest
+    env:
+      PYTHONIOENCODING: utf-8
+    steps:
+      - name: Checkout commit
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Install python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Cache Python and its deps
+        uses: actions/cache@v3
+        with:
+          key: ${{ runner.os }}-python-${{ matrix.python-version }}-${{ hashFiles('requirements/*.txt') }}
+          path: ${{ env.pythonLocation }}
+
+      - name: Install GNU libraries for MacOS
+        if: matrix.os == 'macos'
+        shell: bash
+        run: |
+          HOMEBREW_NO_AUTO_UPDATE=1 brew install findutils
+          echo PATH="/usr/local/opt/findutils/libexec/gnubin:$PATH" >> $GITHUB_ENV
+
+      - name: Install python dependencies
+        run: |
+          make setup
+
+      - name: Configure environment
+        run: |
+          neuro config login-with-token ${{ secrets.CLIENT_TEST_E2E_USER_NAME }} https://dev.neu.ro/api/v1
+          neuro --color=no config show
+
+      - uses: webfactory/ssh-agent@v0.7.0
+        # Authenticates ssh on worker to pull repos under github.com/neuro-actions via ssh
+        # Y.S. key is used
+        with:
+          ssh-private-key: ${{ secrets.GH_NF_ACTIONS_SSH_PRIVATE }}
+          log-public-key: false
+
+      - name: Lint
+        run: |
+          make lint
+
+      - name: Run tests
+        env:
+          NEURO_USER: ${{ secrets.CLIENT_TEST_E2E_USER_NAME }}
+        run: |
+          make test